  • Why So Many Cookie Banners?

    October 9th, 2022
    privacy, tech
    Sometimes you'll see people saying things like:

    Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent.—rrwo

    Or:

    You don't need a cookie banner to be allowed to create cookies. You only need them if you're using them for something like tracking.—y4mi

    Something like, "as long as you design your site properly and don't abuse storage you don't need to ask your European visitors for permission." While I'm not working in this area anymore, am not a lawyer, and am not attempting to give you legal advice, if you read the regulation this interpretation is completely off.

    Cookie banners are a response to the 2002 ePrivacy Directive (full text, guidance). While the ePrivacy Directive may be superseded soon by the (pretty similar) ePrivacy Regulation, it's still the current rule. It requires you to get consent from visitors before you store information on their computer (cookies, localStorage, etc) unless this behavior is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" [1]. This isn't "in order to" or even "necessary in order to", it's "strictly necessary in order to". Which is quite firm!

    This excludes, for example, using a cookie for basic single-site analytics (4.3), where you want to figure out where users are getting stuck on your site or to populate a "users who viewed this product ended up buying this other product" box. Even though this information helps you improve your site for future visitors, including potentially this one, it isn't 'strictly necessary' for serving this user right now.

    If the user puts an item in their shopping cart you can set a cookie, because that's how you honor their request, but it's still quite restrictive (2.3):

    a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant's website in the following minutes.

    Maintaining a shopping cart across days isn't "strictly necessary" and so requires explicit consent, despite being a useful thing users may be expecting: if I put things in my cart, don't check out, and come back the next day, I'm going to be frustrated if the site has forgotten my selections!

    Similarly, say you have a "language" dropdown or a "dark mode" checkbox. Unless you have explicitly marked the UI control with text like "uses cookies" (3.6), you can't persist this setting for future visits.

    The overall effect of this is that most sites will not be ePrivacy-compliant unless they either (a) get cookie consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make careful changes to keep everything within the tight bounds of "strictly necessary". It's not surprising we see so many cookie banners!


    [1] Technically it's also allowed if it's "for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed". But the "strictly necessary" criterion covers almost everything in practice.
